Forensic Blogs

An aggregator for digital forensics blogs

March 22, 2019 by LCDI

Data Recovery Blog 2

Putting Hard Drives to the Test

At the LCDI, we believe your data is important, and surely most would agree. The pictures of your family vacation are important, but what about your passwords? The hard drives that are in most computers store your data, leaving it open for anyone with the proper knowledge to find it and use it if not disposed of properly. This is not a new problem, as online computer news articles from almost 20 years ago described past experiences of people who purchased old hard drives and discovered the data of the last user.

The foundation of our goal is to ensure an understanding of deleting and storing data. Through our research, we have found free and available data recovery programs and sleuth kits to check data drives. Our investigation required a set of samples to test our techniques and programs. We bought a myriad of used hard drives from all over the internet. These previously belonged to other people, so it’s likely that remnants of the past user are still on them. The majority of online sources claim the drives they sell are clean, or “wiped”, but we’ll put that to the test. How clean can a hard drive be and what do these standards look like?

Using Sleuth Kits to Recover Data

In our last blog post, we explored the National Institute of Standards and Technology and the Department of Defense’s deletion standards, which would be a clear indicator of security. The drives we purchased allow us to explore the effectiveness of each method compared to each other. After we’ve used the wiping standards, we must test the ease with which someone could recover the deleted data. In the lab, we have been busy looking at the Sleuth Kit tools to get that job done. The software we use is freeware and open source, ensuring availability without special permission or a fee.

We have gone through a variety of software already, including Autopsy and Wise Data Recovery, two professionally used Sleuth Kits.

Autopsy examining deleted files

In the above image, we have pulled up a sample image file in Autopsy. In this sample, the previous user had deleted 10 images. The tool used a computer image file to carve data present but unlabeled, which we could then review. The image file we loaded contained the deleted files. Although the computer preserved the data of the file, it lost the links for the file system to access it. These deleted files turned out to be various JPGs of different colors and text. The tool carved the data left within the computer and presented it to us similarly to the sample image below.

Wise Data Recovery loading files

Though this program is not as in depth as Autopsy, Wise Data Recovery was still able to get a good amount of information. This program allowed us to scan the Local C Drive, and we were able to load the files into the program for research and investigation.

These programs are used in professional settings and are free to download. However, the question arises: if these are available to everyone, what does that mean for your data? Anyone who has a computer and a way to attach your drive could snoop through your old data, which is the exact reason we work to share this information. What’s more alarming is these two programs don’t show the full extent of the files that could collect your data. There is no way to be sure that the next person will not have the ability to collect your data, or even how much they could glean from the drive.
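The carving behaviour described for Autopsy above can be shown in a few lines. This is an added example, not code from the original post or from either tool; the toy directory table, the file names and the fake JPEG bodies are all constructed for illustration.

```python
SECTOR = 512
SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus the first segment byte
EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(raw, max_size=20 * 1024 * 1024):
    """Signature carving: return (offset, data) for each SOI..EOI span in raw.

    Simplified on purpose: it assumes contiguous files and stops at the first
    EOI, so fragmented files or embedded thumbnails would be cut short.
    """
    found, pos = [], 0
    while (start := raw.find(SOI, pos)) != -1:
        end = raw.find(EOI, start + len(SOI))
        if end == -1 or end + len(EOI) - start > max_size:
            pos = start + 1          # no plausible end marker: keep scanning
            continue
        found.append((start, raw[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found

def build_sample_image():
    """Constructed 16-sector 'disk' plus a toy directory (name -> offset, length)."""
    disk, directory = bytearray(SECTOR * 16), {}
    for name, sector, fill in [("vacation.jpg", 2, b"A"), ("id_scan.jpg", 9, b"B")]:
        data = SOI + b"\xe0" + fill * 40 + EOI   # fake JPEG body, not a real picture
        offset = sector * SECTOR
        disk[offset:offset + len(data)] = data
        directory[name] = (offset, len(data))
    del directory["id_scan.jpg"]   # "delete": the link is dropped, the bytes stay
    return bytes(disk), directory

def unlinked_files(raw, directory):
    """Carved files that no directory entry points to, i.e. deleted but recoverable."""
    linked = {offset for offset, _ in directory.values()}
    return [(off, data) for off, data in carve_jpegs(raw) if off not in linked]

if __name__ == "__main__":
    disk, directory = build_sample_image()
    print("file system lists:", sorted(directory))
    for off, data in unlinked_files(disk, directory):
        print(f"carved unlinked JPEG at byte {off} ({len(data)} bytes)")
```

The directory lists one file, while the scan of the raw bytes still returns the second one; an image that has been fully overwritten returns nothing.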

Exploring Physical Drives and Virtual Machines

The recovery of data is very accessible and it should be taken into account when deleting data. In the coming weeks, we look forward to working with the physical drives and exploring the techniques and depth of data that can be extrapolated from something as small as a picture.

To stay updated with our progress, check out our Twitter, Instagram, and Facebook.

The post Data Recovery Blog 2 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: Autopsy, Blog Post, Champlain College, Data Destruction, Data Recovery, data security, degaussing, hard drive, LCDI, Student, Wise Data Recovery

March 19, 2019 by LCDI

Data Recovery – Blog 1

The Science of Data Recovery

Do you think your deleted data is truly gone? Every day, people around the world share, save, or move critically important data, like credit card numbers, medical checks, and passwords. It wouldn’t be unreasonable to think that the delete function erases files forever, but the truth is that those files could still exist.

In an age where computing power doubles every two years, we replace hardware quickly. The data from old devices doesn’t disappear from storage, even if we delete it. Criminals could use the photos, files, and even names of the previous owners left on these devices to exploit someone’s funds or position of trust. Our goal at the LCDI this semester is to see if we can find personally identifiable information left behind on old hard drives that were “wiped” using free and available programs. 

What is Personally Identifiable Information?

A good place to start when talking about this subject is the basics: What is PII? Personally Identifiable Information is data that could allow others to identify you. This information is critical, as often even small pieces of data fall into the wrong hands. The data allows people to impersonate you or gain access to your identity. Social Security numbers, credit card numbers, and a driver’s license are all common examples. This even extends to smaller pieces of data, like birth location, place of work, and your username on social media.

Though this information may seem random, password recovery for websites uses it. Others can obtain the data in many ways. Websites asking for your information is the most common, but phone calls or lost wallets have long been exploited. Digital data is akin to a wallet, full of personal information and liable to theft. With online shopping being the zeitgeist of the consumer world, this has never been more of a concern than now.

How is data deleted?

We started our project by researching what’s established, including ways people previously deleted data and how it’s done now. There are no universal data deletion instructions or laws for non-government officials to follow, but rather a list of previous and current methods. We looked at government bureaus for practical data deletion standards. The National Institute of Standards and Technology’s SP 800-88 Media Erasure Guideline and the Department of Defense 5220.22-M ECE are two such examples. The documents differ on acceptable and appropriate methods for different levels of data security. The DoD standard states that the only way to destroy data forever is to destroy the device itself. The NIST protocol states only one digital wipe is necessary for data destruction.

Digital wiping or a “wipe” is the nonphysical option. This is the replacement of all data with a few patterns, like random zeros and ones, or multiple replacements of random integers from zero to nine. The number of times this process occurs changes, but traditionally, it’s been between one and seven times. The reason behind the variation is the security of the information and the risk of recovery. The importance of the data could be trivial, like a grocery list from 5 years ago. On the other hand, it could be as severe as losing the PII of a secret agent in the field.

The digital wipe is less expensive, but also less secure due to the possibility of remaining data. This is possible no matter how many wipes have occurred. Physically destroying a hard drive can be favorable because it prohibits the device from any future use, but it’s more expensive to replace the lost device.
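A multi-pass overwrite and the read-back check that shows whether anything remains, as an added example that is not part of the original post. The in-memory "drive", the leftover strings and the partial_clear function are constructed stand-ins, not a real tool or device.

```python
import io
import os

SECTOR = 512

def sample_device():
    """Constructed 32-sector 'drive' (in memory) with leftover data in sectors 5 and 20."""
    dev = io.BytesIO(bytes(SECTOR * 32))
    for sector, text in [(5, b"card=0000-0000-0000-0000"), (20, b"password=example")]:
        dev.seek(sector * SECTOR)
        dev.write(text)
    return dev, SECTOR * 32

def partial_clear(dev, sectors=4):
    """Hypothetical 'wipe' that only zeroes the first few sectors of the drive."""
    dev.seek(0)
    dev.write(b"\x00" * SECTOR * sectors)

def wipe(dev, size, passes=(None, b"\x00")):
    """Overwrite every sector once per pass; None means a pass of random bytes."""
    for pattern in passes:
        dev.seek(0)
        for _ in range(size // SECTOR):
            dev.write(os.urandom(SECTOR) if pattern is None else pattern * SECTOR)

def verify_wipe(dev, size, expected=b"\x00"):
    """Read the device back and return the sector numbers that differ from the final pattern."""
    dev.seek(0)
    return [n for n in range(size // SECTOR) if dev.read(SECTOR) != expected * SECTOR]

if __name__ == "__main__":
    dev, size = sample_device()
    partial_clear(dev)
    print("residue after partial clear:", verify_wipe(dev, size))
    wipe(dev, size)
    print("residue after random + zero passes:", verify_wipe(dev, size))
```

A read-back like this only covers the sectors a drive exposes through its normal interface.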

Benefits of Physical Destruction

There are multiple ways to physically destroy a hard drive, but the goal is to damage or destroy the platter. The platter is a small metal disk in all hard drives where the drive writes and reads the data. The simplest and most available way is to destroy the hard drive physically, by hitting it with a hammer or large object. Another method is magnetic degaussing. The process takes the iron oxide within the platter, a necessity for storing data, and uses it to remove the magnetic readings written on it.

The physical effects depend on the intensity of the magnetic field. Oersteds measure the amount of energy in the magnetic field, and the higher the oersteds, the more capable degaussing is at destroying data. However, not all magnetic marks can be easily removed. Hard drives’ resistance to the magnetic field is called coercivity, and the more intense the coercivity, the more oersteds needed to degauss. Shredding the hard drive or incinerating it are also viable methods. Machines capable of these methods are more suited for large scale businesses due to the high cost, but companies do provide these services.

Conclusion

Nothing’s scarier than discovering a lost wallet. That feeling is the reason our mission is so critical in our society. We integrate technology into work, recreation, and security, as well as our money and data. The point of our research is to identify if PII data is still left on hard drives after “wiping”. Next week, we plan on investigating data recovery freeware and delivering our verdict on what it means for data disposal.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to keep up to date with our progress!

The post Data Recovery – Blog 1 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: Blog Post, Champlain College, Data Destruction, Data Recovery, data security, degaussing, hard drive, LCDI, Student
